test: check how systemd-resolved deals with zone transfers

Even though systemd-resolved doesn't support zone transfers (AXFR/IXFR),
it should still just refuse such requests without choking on them.

See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
Frantisek Sumsal 2024-01-07 22:22:52 +01:00
parent b4f17b07cf
commit 5bd1122843
2 changed files with 19 additions and 1 deletions

@ -19,6 +19,11 @@ acl:
address: fd00:dead:beef:cafe::/64
action: update
- id: transfer_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: transfer
remote:
- id: parent_zone_server
address: 10.0.0.1@53
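Review bot: the new `- id: transfer_acl` block repeats the address list of the update ACL immediately above it (`address: 10.0.0.0/24`, `address: fd00:dead:beef:cafe::/64`) rather than sharing it, so a later change to one network list will silently not apply to the other; a one-line comment stating that the two lists are meant to stay identical (or, if the config format allows both actions on one ACL, a single shared ACL) would make that intent explicit.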
@ -94,8 +99,9 @@ zone:
- domain: test
dnssec-policy: auto_rollover_nsec3
# A fully (pre-)signed zone
# A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
- domain: signed.test
acl: [update_acl, transfer_acl]
# A fully (online)-signed zone
# See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
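Review bot: the `acl: [update_acl, transfer_acl]` line makes signed.test the only zone that the authoritative server will transfer, so the test set has no zone for which the server itself refuses AXFR; the updated comment `# A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)` is accurate, but documenting here (or asserting in the test) that the remaining zones stay non-transferable would keep a `; Transfer failed` observed through resolved from being confused with the server refusing the transfer.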

@ -413,6 +413,18 @@ grep -qF "; fully validated" "$RUN_OUT"
run resolvectl openpgp mr.smith@signed.test
grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
# Check zone transfers (AXFR/IXFR)
# Note: since resolved doesn't support zone transfers, let's just make sure it
# simply refuses such requests without choking on them
# See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
run dig @ns1.unsigned.test AXFR signed.test
grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
run dig AXFR signed.test
grep -qF "; Transfer failed" "$RUN_OUT"
run dig @ns1.unsigned.test IXFR=43 signed.test
grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
run dig IXFR=43 signed.test
grep -qF "; Transfer failed" "$RUN_OUT"
# DNSSEC validation with multiple records of the same type for the same name
# Issue: https://github.com/systemd/systemd/issues/22002
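Review bot: the two cases without an explicit server, `run dig AXFR signed.test` and `run dig IXFR=43 signed.test`, depend on the system resolver being resolved's stub listener, and `grep -qF "; Transfer failed" "$RUN_OUT"` only proves dig did not get a complete transfer, not that resolved answered the request at all (a timeout and a refusal both end without a transfer); pointing dig at the stub explicitly (`@127.0.0.53`) and also asserting on the reason dig prints for the failure would make the check match what the comment `# simply refuses such requests without choking on them` promises. Two smaller points: the serial in `IXFR=43` is a magic number, so a comment tying it to the zone's SOA serial would help, and the unescaped dots in `grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test."` match any character, which is harmless here but is not what the pattern reads as.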